Glossary
Accounting of Disclosures: This provision of the Privacy Rule gives individuals
the right to receive a list of certain disclosures that a covered entity
has made of their protected health information in the past 6 years, including
disclosures made for research purposes.
Association for the Accreditation of Human Research Protection Programs,
Inc. (AAHRPP): An independent, nonprofit entity that accredits organizations’
human research protection programs.
Authorization: An individual’s written permission to allow a covered entity
to use or disclose specified protected health information (PHI) for a particular
purpose. Authorization states how, why, and to whom the PHI will
be used and/or disclosed for research, and seeks permission for that use or
disclosure.
Autonomy: The capacity of a rational individual to make an informed,
uncoerced decision.
Business Associate: A person or entity who, on behalf of a covered entity,
performs or assists in performance of a function or activity involving the
use or disclosure of protected health information, such as data analysis,
claims processing or administration, utilization review, and quality assurance
reviews, or any other function or activity regulated by the HIPAA
Administrative Simplification Rules, including the Privacy Rule. Business
associates are also persons or entities performing legal, actuarial, accounting,
consulting, data aggregation, management, administrative, accreditation,
or financial services to or for a covered entity where performing those
services involves disclosure of protected health information by the covered
entity or another business associate of the covered entity to that person or
entity.
BEYOND THE HIPAA PRIVACY RULE
Chronic Conditions Warehouse: Section 723 of the Medicare Prescription
Drug, Improvement, and Modernization Act of 2003 instructed the
Secretary of the U.S. Department of Health and Human Services to make
Medicare data more readily available to researchers studying chronic illness
in the Medicare population, with the intent to help “identify areas
for improving the quality of care provided to chronically ill Medicare
beneficiaries, [and] reduce program spending.” The Chronic Conditions
Warehouse implements this requirement of the Act and contains fee-for-services
claims, enrollment/eligibility, and assessment data. Researchers can
efficiently access data on 21 predefined chronic health conditions, such as
diabetes, breast cancer, Alzheimer’s, and depression.
Common Rule: The federal rule that governs most federally funded research
conducted on human beings and aims to ensure that the rights of human
subjects are protected during the course of a research project, historically
focusing on protection from physical and mental harm by stressing
autonomy and consent.
Confidentiality: Addresses the issue of how personal data that have been
collected for one approved person may be held and used by the organization
that collected the data, what other secondary or further uses may be
made of the data, and when the permission of the individual is required
for such uses.
Covered Entity: A health plan, a health care clearinghouse, or a health care
provider that transmits health information in electronic form in connection
with a transaction for which the U.S. Department of Health and Human
Services has adopted a standard.
Data Use Agreement: An agreement into which the covered entity enters
with the intended recipient of a limited dataset that establishes the ways in
which the information in the limited dataset may be used and how it will
be protected.
Deidentified Information: The Privacy Rule provides for two methods to
deidentify personally identifiable health information. Under the statistical
method, a statistician or person with appropriate training verifies that enough
identifiers have been removed that the risk of identification of the individual
is very small. Under the safe harbor method, data are considered deidentified
if the covered entity removes 18 specified personal identifiers from the data.
Effectiveness: The extent to which a specific test or intervention, when used
under ordinary circumstances, does what it is intended to do.
Efficacy: The extent to which a specific test or intervention produces a
beneficial result under ideal conditions (e.g., a clinical trial).
Fair Information Practices: Principles affording individuals the meaningful
right to control the collection, use, and disclosure of information, and
imposing affirmative responsibilities to safeguard information on those
who collect it.
Food and Drug Administration (FDA) Protection of Human Subjects Regulations:
Regulations intended to protect the rights of human subjects
enrolled in research involving products that the FDA regulates (i.e., drugs,
medical devices, biologicals, foods, and cosmetics).
Health Care Clearinghouse: A public or private entity, including a billing
service, repricing company, community health management information
system or community health information system, and value-added networks
and switches, that either process or facilitate the processing of health information
received from another entity in a nonstandard format or containing
nonstandard data content into standard data elements or a standard transaction,
or receive a standard transaction from another entity and process
or facilitate the processing of health information into a nonstandard format
or nonstandard data content for the receiving entity.
Health Care Provider: A provider of services (as defined in Section 1861(u)
of HIPAA, 42 U.S.C. 1395x(u)), a provider of medical or health services (as
defined in Section 1861(s) of HIPAA, 42 U.S.C. 1395x(s)), and any other
person or organization who furnishes, bills, or is paid for health care in the
normal course of business.
Health Information: Any information, whether oral or recorded in any
form or medium, that (1) is created or received by a health care provider,
health plan, public health authority, employer, life insurer, school or university,
or health care clearinghouse; and (2) relates to the past, present, or
future physical or mental health or condition of an individual; the provision
of health care to an individual; or the past, present, or future payment for
the provision of health care to an individual.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): An
Act that requires, among other things, under the Administrative Simplification
subtitle, the adoption of standards for protecting the privacy and
security of personally identifiable health information.
Hybrid Entity: A single legal entity that is a covered entity, performs business
activities that include both covered and non-covered functions, and
designates its health care components as provided in the Privacy Rule. If
a covered entity is a hybrid entity, the Privacy Rule generally applies only
to its designated health care components. However, non-health care components
of a hybrid entity may be business associates of one or more of its
health care components, depending on the nature of the relationship.
Informed Consent: A legal form required by the Common Rule that
describes the potential risks and benefits of research and seeks permission
to involve the subject.
Institutional Review Boards (IRBs): “An administrative body established
to protect the rights and welfare of human research subjects recruited
to participate in research activities conducted under the auspices of the
institution with which it is affiliated. The IRB has the authority to approve,
require modification in, or disapprove all research activities that fall
within its jurisdiction as specified by both the federal regulations and
local institutional policy” (Department of Health and Human Services
IRB Guidebook).
Limited Dataset: Refers to protected health information that excludes 16
categories of direct identifiers and may be used or disclosed, for purposes of
research, public health, or health care operations, without obtaining either
an individual’s authorization or a waiver or an alteration of authorization
for its use and disclosure, with a data use agreement.
Nonmaleficence: The ethical principle of doing no harm, based on the
Hippocratic maxim, primum non nocere, first do no harm.
Privacy: In this report, the privacy of personal health information pertains
to the collection, storage, and use of personal information and addresses
the question of who has access to personal information and under what
conditions.
Privacy Board: A board that is established to review and approve requests
for waivers or alterations of authorization in connection with a use or disclosure
of protected health information as an alternative to obtaining such
waivers or alterations from an Institutional Review Board. A Privacy Board
consists of members with varying backgrounds and appropriate professional
competencies as necessary to review the effect of the research protocol on
an individual’s privacy rights and related interests. The board must include
at least one member who is not affiliated with the covered entity, is not
affiliated with any entity conducting or sponsoring the research, and is not
related to any person who is affiliated with any such entities. A Privacy
Board cannot have any member participating in a review of any project in
which the member has a conflict of interest.
Protected Health Information: Protected health information is personally
identifiable health information created or received by a covered entity.
Public Health: The Privacy Rule defines a public health authority as any
“federal, tribal, or local agency or person or entity acting under a grant of
authority or contract with the agency, including state and local health departments,
the Food and Drug Administration, the Centers for Disease Control
and Prevention, and the Occupational Safety and Health Administration.”
Public Health Practice: “The collection and analysis of identifiable health
data by a public health authority for the purpose of protecting the health
of a particular community, where the benefits and risks are primarily
designed to accrue to the participating community” (Hodge, 2005; Hodge
and Gostin, 2004).
Public Health Research: “The collection and analysis of identifiable health
data by a public health authority for the purpose of generating knowledge
that will benefit those beyond the participating community who bear the
risks of participation” (Hodge, 2005; Hodge and Gostin, 2004).
Public Responsibility in Medicine and Research (PRIM&R): An organization
whose mission is to promote ethical research in both humans and
animals.
Quality Improvement: “Systematic, data-guided activities designed to bring
about immediate, positive change in the delivery of health care in a particular
setting” (Baily et al., 2006).
Research: A systematic investigation, including research development, testing,
and evaluation, designed to develop or contribute to generalizable
knowledge.
Respect for Persons: The ethical principle requiring that individuals be
treated as autonomous agents, and that individuals with diminished
autonomy are entitled to protection (HEW, 1979).
Security: “The procedural and technical measures required (a) to prevent
unauthorized access, modification, use, and dissemination of data stored
or processed in a computer system, (b) to prevent any deliberate denial of
service, and (c) to protect the system in its entirety from physical harm”
(Turn and Ware, 1976).
Selection Bias: This phenomenon occurs when data are more likely to be
collected from one subset of the population than from a representative
sample of the entire population. This can cause systematic differences
between the characteristics of the individuals included in a study and the
individuals not included.
Waiver of Authorization: The documentation that the covered entity obtains
from a researcher or an IRB or a Privacy Board that states that the IRB or
Privacy Board has waived or altered the Privacy Rule’s requirement that an
individual must authorize a covered entity to use or disclose the individual’s
protected health information for research purposes.
REFERENCES
Baily, M. A., M. Bottrell, J. Lynn, and B. Jennings. 2006. The ethics of using QI methods to
improve health care quality and safety. A Hastings Center Special Report 36(4):S1–S40.
HEW (Department of Health, Education and Welfare). 1979. The Belmont Report: Ethical
principles and guidelines for the protection of human subjects of research.
http://ohsr.od.nih.gov/guidelines/belmont.html (accessed August 21, 2008).
Hodge, J. G., Jr. 2005. An enhanced approach to distinguishing public health practice and
human subjects research. Journal of Law, Medicine & Ethics 33(1):125–141.
Hodge, J. G., and L. O. Gostin. 2004. Public health practice vs. Research: A report for public
health practitioners including cases and guidance for making distinctions. Atlanta, GA:
Council of State and Territorial Epidemiologists.
Turn, R., and W. H. Ware. 1976. Privacy and security issues in information systems. The
RAND Paper Series. Santa Monica, CA: The RAND Corporation.